imporve methods

components/client-attestation-mgt/org.wso2.carbon.identity.client.attestation.mgt/src/main/java/org/wso2/carbon/identity/client/attestation/mgt/internal/ClientAttestationMgtServiceComponent.java

@@ -43,6 +43,7 @@
 
 import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.APPLE_ATTESTATION_REVOCATION_CHECK_ENABLED;
 import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.APPLE_ATTESTATION_ROOT_CERTIFICATE_PATH;
+import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.CERTIFICATE_EXPIRY_THRESHOLD;
 
 /**
  * OSGi declarative services component which handled registration and un-registration of
@@ -142,8 +143,8 @@ private boolean isCertificateExpiringSoon(X509Certificate certificate) {
  // Calculate the difference in days
  long differenceInDays = (expirationDate.getTime() - currentDate.getTime()) / (24 * 60 * 60 * 1000);
 
- // Check if the certificate is expiring within a month
- return differenceInDays <= 30;
+ // Check if the certificate is expiring within 3 months.
+ return differenceInDays <= CERTIFICATE_EXPIRY_THRESHOLD;
  }
 
  @Deactivate

components/client-attestation-mgt/org.wso2.carbon.identity.client.attestation.mgt/src/main/java/org/wso2/carbon/identity/client/attestation/mgt/services/ClientAttestationServiceImpl.java

@@ -147,6 +147,7 @@ public ClientAttestationContext validateAttestation(String attestationObject,
  * @return true if it is an Apple Attestation, false otherwise.
  */
  private boolean isAppleAttestation(String attestationObject) {
+
  // Create a CBOR factory and an ObjectMapper for CBOR serialization.
  CBORFactory factory = new CBORFactory();
  ObjectMapper cborMapper = new ObjectMapper(factory);

components/client-attestation-mgt/org.wso2.carbon.identity.client.attestation.mgt/src/main/java/org/wso2/carbon/identity/client/attestation/mgt/utils/Constants.java

@@ -58,5 +58,8 @@ public enum ClientTypes {
  public static final String X5C = "x5c";
  public static final String APPLE_APP_ATTEST = "apple-appattest";
  public static final String SHA_256 = "SHA-256";
+ public static final String X_509_CERTIFICATE_TYPE = "X.509";
+ public static final String PKIX = "PKIX";
+ public static final int CERTIFICATE_EXPIRY_THRESHOLD = 90;
 
 }

components/client-attestation-mgt/org.wso2.carbon.identity.client.attestation.mgt/src/main/java/org/wso2/carbon/identity/client/attestation/mgt/validators/AppleAttestationValidator.java

@@ -54,8 +54,11 @@
 
 import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.ATT_STMT;
 import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.AUTH_DATA;
+import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.CERTIFICATE_EXPIRY_THRESHOLD;
+import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.PKIX;
 import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.SHA_256;
 import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.X5C;
+import static org.wso2.carbon.identity.client.attestation.mgt.utils.Constants.X_509_CERTIFICATE_TYPE;
 
 /**
  * Implementation of the {@link ClientAttestationValidator} interface specific to Apple attestation.
@@ -79,6 +82,7 @@ public class AppleAttestationValidator implements ClientAttestationValidator {
  private String tenantDomain;
 
  private ClientAttestationMetaData clientAttestationMetaData;
+
  public AppleAttestationValidator(String applicationResourceId,
  String tenantDomain,
  ClientAttestationMetaData clientAttestationMetaData) {
@@ -162,7 +166,7 @@ private boolean verifyAppleAttestationStatement(Map<String, Object> cborMap,
  }
 
  // Load the attestation certificate and intermediate CA certificate from the attestation object
- CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+ CertificateFactory certificateFactory = CertificateFactory.getInstance(X_509_CERTIFICATE_TYPE);
  X509Certificate credCert = (X509Certificate) certificateFactory.generateCertificate(
  new ByteArrayInputStream(x5c.get(0)));
  X509Certificate caCert = (X509Certificate) certificateFactory.generateCertificate(
@@ -173,7 +177,7 @@ private boolean verifyAppleAttestationStatement(Map<String, Object> cborMap,
  CertPath certPath = certificateFactory.generateCertPath(certs);
 
  // Create a CertPathValidator and validate the certificate chain
- CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
+ CertPathValidator certPathValidator = CertPathValidator.getInstance(PKIX);
  PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(appleRootCA, null)));
  // In the context of PKIX (Public Key Infrastructure for X.509), revocation refers to the process of
  // declaring a digital certificate as invalid before its natural expiration date.
@@ -221,6 +225,9 @@ private boolean verifyAppleAuthData(Map<String, Object> cborMap,
  return false;
  }
  byte[] authData = (byte[]) authDataObject;
+ // As per the official documentation at
+ // https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server#3576643
+ // rpIdHash(Relaying Party Id) is the hash of the app’s App ID is represented with first 31 byte on authData.
  byte[] rpIdHash = Arrays.copyOfRange(authData, 0, 32);
 
  // Get the configured Apple App ID
@@ -279,8 +286,8 @@ private boolean isCertificateExpiringSoon(X509Certificate certificate) {
  // Calculate the difference in days
  long differenceInDays = (expirationDate.getTime() - currentDate.getTime()) / (24 * 60 * 60 * 1000);
 
- // Check if the certificate is expiring within month.
- return differenceInDays <= 30;
+ // Check if the certificate is expiring within 3 months.
+ return differenceInDays <= CERTIFICATE_EXPIRY_THRESHOLD;
  }
 
  /**